Old 01-02-2006, 13:48   #1
Toyman
Senior Member
 
Join Date: May 2003
Location: West Michigan
Posts: 3,856
Zero Day WMF Exploit - Possible worst ever!

This is bad, real bad. Make that very real bad.

Anyone following this exploit in the news? I've posted some links on my blog about this: http://www.fishous.com/?p=14

Just wondering if any of you might have some other good links and news coverage?
__________________
Mike - A forum post should be like a skirt. Long enough to cover the subject material, but short enough to keep things interesting.
"It's not about the odds, it's about the stakes." -
Old 01-02-2006, 14:05   #2
podwich
Senior Member
 
Join Date: Sep 2000
Location: MI
Posts: 9,330
Here's a patch by Ilfak Guilfanov that should protect you until MS comes out with an official one. http://www.grc.com/sn/notes-020.htm
Old 01-03-2006, 10:46   #3
nickg
Senior Member
 
Join Date: Jan 2002
Posts: 4,460
You can also get more info here and download the fix as well:

http://www.hexblog.com/2005/12/wmf_vuln.html
__________________
I may be wrong, but I'm not wrong long.
Old 01-03-2006, 11:59   #4
havensal
CLM Number 216
Nozzle Jockey
 
Join Date: Aug 2003
Location: Western, NY
Posts: 4,471
Here is a copy of an email I received.

SERIOUS WINDOWS FLAW

In the past several days, I have become aware of a serious flaw within Windows (all versions 95 through XP) that Microsoft has not patched as of yet. Articles I have read have made it clear this is a serious flaw, and that hackers immediately stepped up their attempts to take advantage of this opportunity to infect PCs around the world. A brief article is at the following address: http://news.com.com/2001-1009_3-0.html?tag=ne.tab.hd

This one, from the Internet Storm Center, makes it seem even more serious: http://isc.sans.org/diary.php?rss&storyid=996

With Windows not providing a fix for the problem as of yet and antivirus/firewall programs having limited ability to stop any attack attempt, experts are suggesting a fix to patch the flaw. I have found a file that is supposed to be effective and safe to install; it is mentioned in the link above, created by Ilfak Guilfanov. Follow the link below:

http://grc.com/sn/notes-020.htm

If you go to this site, you can read more about the problem and decide for yourself if you want to install the patch (the green box near the bottom of the page). Steve Gibson, who runs this site and his 'Security Now' podcast, is a security expert and I for one trust what he is saying. I have installed the fix on my 2 computers and have had no ill effects, and I've not heard of any problems caused by this fix. The Internet Storm Center says "We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective."

Once Microsoft repairs the problem and your version of Windows is updated, you can uninstall the patch like any other program.

I normally don't go to clients with issues such as this, but I felt it serious enough to pass on the information and let you make an informed decision. If you have any questions, please don't hesitate to contact me.

Sincerely,

Barry
__________________
RTN Bodyguard Club #034 "FearMyLaserLytes"
Old 01-03-2006, 12:12   #5
havensal
CLM Number 216
Nozzle Jockey
 
Join Date: Aug 2003
Location: Western, NY
Posts: 4,471
Does anybody have the file in the links above? The sites seem to be down.

Ok, I got a copy. Here is a link to a copy I am hosting.

http://www.s94257325.onlinehome.us/T..._hexblog14.exe

Last edited by havensal; 01-03-2006 at 13:22..
Old 01-03-2006, 13:01   #6
StoneGiant
Senior Member
 
Join Date: May 2003
Location: Derry, NH
Posts: 12,693


Does anyone know if the "fix" is clean? If it has been certified, then why hasn't the Gates Crew paid some money to the developer and redistributed it?
__________________
“Great danger lies in the notion that we can reason with evil.”
Old 01-03-2006, 13:09   #7
johnstrr
In the Garden
 
Join Date: Oct 2005
Posts: 591
I have run it on my machine and it is recommended by ISC so it's probably a safe bet...

it's available as a .msi from the above site...
Old 01-04-2006, 07:57   #8
Toyman
Senior Member
 
Join Date: May 2003
Location: West Michigan
Posts: 3,856
Quote:
Originally posted by StoneGiant
Does anyone know if the "fix" is clean? If it has been certified, then why hasn't the Gates Crew paid some money to the developer and redistributed it?
The fix is clean, it comes with the code for it, which Steve Gibson of GRC.com has reviewed. It's a tiny bit of code.
Old 01-04-2006, 08:01   #9
StoneGiant
Senior Member
 
Join Date: May 2003
Location: Derry, NH
Posts: 12,693


Quote:
Originally posted by Toyman
The fix is clean, it comes with the code for it, which Steve Gibson of GRC.com has reviewed. It's a tiny bit of code.
After reviewing the notes at Internet Storm Center, I implemented the "fix".

And isn't the Gates Crowd a wonder? We get to wait until the 10th for their fix to a known problem. As Dan Rather would say,

  • "Courage."
Old 01-04-2006, 09:57   #10
Toyman
Senior Member
 
Join Date: May 2003
Location: West Michigan
Posts: 3,856
Quote:
Originally posted by StoneGiant
...And isn't the Gates Crowd a wonder? We get to wait until the 10th for their fix to a known problem. ...
You have no idea just how large and complex the Windows Environment is. They have to regression test against numerous things, including all the development environments and hundreds of products.

If this thing was released right away and broke something, the first thing you guys would say is "Why didn't MS test it?" They can't win for losing with you guys. Maybe there's an app or something that uses the escape sequence functionality, which is probably why it's in there in the first place, duh.

And yes, I do have an idea of how extensive it is, I used to work for Microsoft, in testing and in development.
Old 01-04-2006, 10:10   #11
StoneGiant
Senior Member
 
Join Date: May 2003
Location: Derry, NH
Posts: 12,693


I, too, have extensive software engineering experience. One of my programs was a flight simulator / Monte Carlo analysis that took 11 HP9000's 26 hours to run.

Even back in the dark ages of 1992 I employed automatic regression test software; your assertion that MS is too complex to test in a timely manner implies a lack of well-architected scope and extension.

Two questions for you:
  1. How long has Microsoft known about the security flaw, and why have they been so slow in responding?
  2. Are you saying that the "fix" as published on the Internet is too simple? On the surface, it appears to lack the kind of complexity that demands over a week of testing by an organization with arguably the greatest software development resources in the world.
Old 01-04-2006, 10:56   #12
Toyman
Senior Member
 
Join Date: May 2003
Location: West Michigan
Posts: 3,856
Quote:
Originally posted by StoneGiant
...Even back in the dark ages of 1992 I employed automatic regression test software; your assertion that MS is too complex to test in a timely manner implies a lack of well-architected scope and extension.

Two questions for you:
  1. How long has Microsoft known about the security flaw, and why have they been so slow in responding?
  2. Are you saying that the "fix" as published on the Internet is too simple? On the surface, it appears to lack the kind of complexity that demands over a week of testing by an organization with arguably the greatest software development resources in the world.
  1. December 28, 2005. Make a matrix of all the versions of Windows, all the service packs, and all the products and then ask yourself how long it takes to set up machines for these and test them. It's in the 1,000's of combinations.
  2. The fix provided on the net seems to work, but hasn't been completely tested. I did find one instance of it making IE and WMP to fail to launch this morning until I uninstalled it and re-booted (my own machine).
Last edited by Toyman; 01-04-2006 at 11:00..
Old 01-04-2006, 11:01   #13
nickg
Senior Member
 
Join Date: Jan 2002
Posts: 4,460
Here is an interesting story about AV products that have been testing the WMF problem.
------------------------------------------------------------------------------

http://www.edbott.com/weblog/?p=1191

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
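The "heuristic rather than pattern" distinction in the quoted AV-Test summary, as an added example that is not code from the thread, from Ed Bott's post or from AV-Test: a minimal WMF record walker in Python, run over constructed files. It assumes the WMF record layout (a 4-byte record size in words, a 2-byte function code, then parameters) and that the "escape sequence functionality" mentioned in post #10 is the META_ESCAPE record (function 0x0626) carrying the SetAbortProc sub-function (9), the handling the 2005 flaw was in. The sample files, the one-sample byte signature and all function names here are constructed for the illustration. A check keyed on the record type and sub-function catches both constructed variants, while an exact byte pattern lifted from one sample misses the other, which is the gap the quoted figures describe.

```python
"""Signature vs. heuristic detection of WMF Escape records (added example, constructed data)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626            # WMF Escape record function code
META_SAVEDC = 0x001E            # harmless record used as filler in the samples
META_EOF = 0x0000
ESCAPE_NEWFRAME = 1             # benign Escape sub-function
ESCAPE_SETABORTPROC = 9         # sub-function the heuristic flags (assumption, see lead-in)


def wmf_records(data: bytes):
    """Yield (function_code, parameter_bytes) for every record in a WMF file.

    Raises ValueError on a malformed file: bad header, a record whose size
    field runs past the buffer, or a missing EOF record.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):    # size includes its own 6-byte header
            raise ValueError("record size out of range")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("missing EOF record")


def heuristic_flags(data: bytes) -> list:
    """Flag every Escape record whose sub-function is SetAbortProc, whatever its payload."""
    flags = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            sub_func, byte_count = struct.unpack_from("<HH", params, 0)
            if sub_func == ESCAPE_SETABORTPROC:
                flags.append("META_ESCAPE SetAbortProc, %d payload bytes" % byte_count)
    return flags


def is_wellformed(data: bytes) -> bool:
    """True when the whole file parses through to an EOF record."""
    try:
        list(wmf_records(data))
        return True
    except ValueError:
        return False


# --- constructed sample files (not real malware) ---------------------------
def record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"                         # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    records = records + [record(META_EOF)]
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    # standard 18-byte header: type, header size, version, file size, objects, max record, reserved
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


SAMPLE_BENIGN = build_wmf([record(META_SAVEDC),
                           record(META_ESCAPE, struct.pack("<HH", ESCAPE_NEWFRAME, 0))])
SAMPLE_A = build_wmf([record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 0))])
SAMPLE_B = build_wmf([record(META_SAVEDC),
                      record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 2) + b"\x00\x00")])

# a "specific pattern": the exact bytes of sample A's Escape record
SIGNATURE = record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 0))


def signature_match(data: bytes) -> bool:
    return SIGNATURE in data


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("variant A", SAMPLE_A), ("variant B", SAMPLE_B)):
        print(name, "signature:", signature_match(sample), "heuristic:", heuristic_flags(sample))
```

The signature is tied to one record's exact bytes, so a two-byte change in the payload length (variant B) defeats it, while the record-type check needs no knowledge of any particular sample. The parser also refuses files whose size fields run off the end of the buffer, which is the kind of malformed input a scanner sees first.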
Old 01-06-2006, 19:26   #14
johnstrr
In the Garden
 
Join Date: Oct 2005
Posts: 591
MS patch is now out. Install it, reboot and then uninstall the other one. It is something like "WMF... MFI.. Hotfix" or something like that.
Old 01-06-2006, 20:03   #15
epsylum
Boolit Hoze
 
Join Date: Sep 2004
Location: Racing Capital, USA
Posts: 14,373


Quote:
Originally posted by johnstrr
MS Patch is now out.. install it, reboot and then uninstall the other one.. it is something like "WMF... MFI.. Hotfix" or something like that.
I left my computer on last night. It updated by itself.
__________________
Quote:
What are you having trouble with? I'll teach it some respect.
Epsylum (EE-SAI-LUM)


 
  